office of internal audits manual

OFFICE OF INTERNAL AUDITS APPALACHIAN STATE UNIVERSITY AUDIT MANUAL December, 2013

AUDIT MANUAL TABLE OF CONTENTS

SECTION 100 THE INTERNAL AUDIT ACTIVITY

100.1: Audit Activity Charter
100.2: Mission and Scope of Work
100.3: Definition of Internal Auditing
100.4: Role and Accountability
100.5: Professionalism
100.6: Authority
100.7: Organization
100.8: Independence and Objectivity
100.9: Responsibility
100.10: Reporting and Monitoring
100.11: Periodic Assessment
100.12: Audit Types and Services

SECTION 200 THE INTERNAL AUDITOR

200.1: Preserving Objectivity
200.2: Proficiency and Due Professional Care
200.3: Continuing Professional Development
200.4: Personal Conduct, Objectivity, and Confidentiality

SECTION 300 QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

300.1: Quality Assurance and Improvement Program
300.2: Internal Assessments
300.3: External Assessments
300.4: Reporting on QAIP
300.5: OIA Performance Metrics

SECTION 400 ANNUAL AUDIT PLAN

400.1: Development Process
400.2: Approval Process and Annual Certifications

SECTION 500 AUDIT PROCESS

500.1: Planning
500.2: Entrance Conference
500.3: Risk Assessment in Engagement Planning
500.4: Establishing Objectives
500.5: Engagement Supervision
500.6: Audit Program
500.7: Fieldwork
500.8: Use of Personal Information in Conducting Engagements
500.9: Work Papers
500.10: Audit Report
500.11: Exit Conference
500.12: Audit Report Follow-Up
500.13: Granting Access to Engagement Records
500.14: Retention of Records

SECTION 600 PERSONNEL

600.1: Resource Management
600.2: Minimum Training and Experience
600.3: Chief Audit Officer
600.4: Assistant Director
600.5: Auditor
600.6: IT Auditor
600.7: Audit Assistant

SECTION 700 IDENTIFICATION OF FRAUD

700.1: Identification of Fraud
700.2: Internal Audit Activities and Fraud

SECTION 800 AUDIT COMMITTEE CHARTER

GLOSSARY

(SECTION 100)

THE INTERNAL AUDIT ACTIVITY

(100.1) AUDIT ACTIVITY CHARTER

Reference: Audit Activity Charter - Updated/Approved - 3/22/2013; IIA IPPF Standard 1000

The Office of Internal Audits (hereafter referred to as OIA) Audit Activity Charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal activity resides with the Board. The Chief Audit Officer (hereafter referred to as CAO) must periodically review the internal audit charter and present it to senior management and the ASU Board of Trustees for approval.

The most recent activity of the OIA was formally documented and updated by the CAO and approved by the Chancellor, the Chair of the ASU Board of Trustees (hereafter referred to as the ASU Board), and the Chair of the ASU Board Audit Committee (hereafter referred to as the Audit Committee) on March 22, 2013. (See Section 100.2-100.11 for discussion of the components of the OIA Audit Activity Charter.)

(100.2) MISSION AND SCOPE OF WORK

Reference: Audit Activity Charter - Updated/Approved - 3/22/2013; NC GS 143.79§143-745 through 749

The mission and scope of the OIA is consistent with The Institute of Internal Auditors’ International Professional Practices Framework (IPPF) definition of Internal Auditing. Internal Auditing is an independent and objective assurance and consulting activity that is designed to add value to improve the operations of Appalachian State University (the University). The OIA assists the University in accomplishing its objectives through a systematic and disciplined approach to evaluate and improve the effectiveness of the organization's risk management, control, and governance processes.

Also, as a State Agency, the University is required by NC General Statute to establish a program of internal auditing – meeting the requirements of the statute and in compliance with the current IIA International Standards for the Professional Practice of Internal Auditing (the Standards). The University has established a program of internal auditing that:

1. Promotes an effective system of internal controls that safeguards public funds and assets and minimizes incidences of fraud, waste, and abuse.

2. Determines if programs and business operations are administered in compliance with federal and state laws, regulations, and other requirements.

3. Reviews the effectiveness and efficiency of the University and program operations and service delivery.

4. Periodically audits the University’s major systems and controls, including:

a. Accounting systems and controls.

b. Administrative systems and controls.

c. Information technology systems and controls.

(100.3) DEFINITION OF INTERNAL AUDITING

Reference: IIA IPPF

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

(100.4) ROLE AND ACCOUNTABILITY

Reference: Audit Activity Charter - Updated/Approved - 3/22/2013

The internal audit activity is established by the Audit Committee. The OIA’s responsibilities are defined by the Audit Committee as part of its oversight role.

(100.5) PROFESSIONALISM

Reference: Audit Activity Charter - Updated/Approved - 3/22/2013; IIA IPPF

The OIA activity will be governed by The Institute of Internal Auditors’ mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance. A Quality Assurance and Improvement Program (QAIP) is required to ascertain compliance with these Standards. The CAO is responsible for implementing this program by conducting a thorough self-assessment to be followed by an external independent validation.

The IIA Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, the OIA will adhere to Appalachian State University’s relevant policies and procedures and the standard operating procedures manual (Audit Manual).

THE INSTITUTE OF INTERNAL AUDITORS

The Institute of Internal Auditors (IIA) is an international association established in 1941, dedicated to the continuing professional development of the individual internal auditor and the internal auditing profession, with members in the US and around the world. The IIA is the internal audit profession’s global voice, standard-setter, and resource for professional development and certification.

The IPPF is the conceptual framework that organizes authoritative guidance promulgated by The IIA. The IPPF consists of Mandatory Guidance and strongly recommended guidance. The first category, Mandatory Guidance, consists of the Definition of Internal Auditing, the Code of Ethics, and the Standards. The second category, Practice Advisories (PA), consists of Attribute and Performance Standards.

For further information on the IPPF, please visit The IIA website (www.theiia.org).

THE IIA CODE OF ETHICS

Principles

Internal auditors are expected to apply and uphold the following principles from The IIA.

1. Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

2. Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

3. Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

4. Competency: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

Rules of Conduct

1. Integrity: Internal auditors

1.1. Shall perform their work with honesty, diligence, and responsibility.

1.2. Shall observe the law and make disclosures expected by the law and the profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity: Internal auditors

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.

2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.

2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3. Confidentiality: Internal auditors

3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

4. Competency: Internal auditors

4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.

4.2. Shall perform internal auditing services in accordance with the Standards for the Professional Practice of Internal Auditing.

4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.

The CAO will annually ask for written verification by the “Auditor's Annual Code of Ethics Statement” from the OIA staff as to their understanding that they are expected to apply and uphold the Code of Ethics as outlined above.

Upon commencement of employment with the University, all employees will complete an online “Statement of Confidentiality,” indicating that he/she agrees to keep confidential all student education records, employee personnel records, and other personally identifiable information which is deemed to be confidential in accordance with applicable state and federal law and standards, as well as ASU policies and regulations, and will require that its officers, employees, subcontractors, and agents comply with the same. ASU Password Manager (https://password.appstate.edu/pswdchgform/UniversityPolicies) requires the ASU employee to review and agree to the “Statement of Confidentiality” when establishing a campus network secure password for the first time, and annually thereafter. Students, faculty, and staff at ASU must also read and agree to the “Computer User Policy” to receive access to campus electronic services.

STANDARDS

The OIA adheres to the Standards of The IIA. The Standards are mandatory requirements consisting of:

• Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance, which are internationally applicable at organizational and individual levels.

• Interpretations, which clarify terms or concepts within the Statements.

For further information on the Standards, please visit The IIA website (www.theiia.org).

Best Practice recommendations of the Information Systems Audit and Control Association (www.isaca.org), the Association of College and University Auditors (www.acua.org), and the National Association of College and University Business Officers (www.nacubo.org) are also considered in internal audits and reviews.

(100.6) AUTHORITY

Reference: Audit Activity Charter - Updated/Approved - 3/22/2013

The OIA, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all records, physical properties, and personnel pertinent to carrying out any engagement in accordance with NC General Statute 147-64.7 and Session Law 2010-194, Section 21. All university employees are directed to assist the OIA in fulfilling its roles and responsibilities upon request. The OIA will also have free and unrestricted access to the Audit Committee.

The OIA is not authorized to perform operational duties for the University, initiate or approve accounting or other transactions external to the internal audit office, nor direct the activities of any university employee not employed by the OIA.

(100.7) ORGANIZATION

Reference: Audit Activity Charter - Updated/Approved - 3/22/2013

The CAO will report functionally to the Chair of the Audit Committee and administratively (i.e., day to day operations) to the Chancellor. The CAO will communicate and interact directly with the Audit Committee, including in executive sessions and between Audit Committee meetings, as appropriate.

The Audit Committee shall be composed and organized in accordance with the Audit Committee Charter (see section 800) as approved by the ASU Board from time to time.

(100.8) INDEPENDENCE AND OBJECTIVITY

Reference: Audit Activity Charter - Updated/Approved - 3/22/2013

The OIA should be free from interference in determining the scope of internal auditing, performing work, and communicating results. To provide for the independence of the OIA, its personnel should report to the CAO, who reports administratively to the Chancellor and functionally to the Audit Committee. The CAO shall have full and independent access to the Chancellor and the Audit Committee. The CAO will confirm to the Audit Committee and the ASU Board, at least annually, the organizational independence of the OIA.

Internal Auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgment.

Objectivity and independence are crucial to the duties of the OIA. Either may be compromised if auditors participate directly in preparing records or accounting transactions, designing systems and operations, or directing activities of any organization personnel not employed by the OIA. Therefore, the OIA staff will serve only in an advisory capacity in these matters.

The CAO will annually ask for written verification by the “Auditor's Annual Independence Statement” from the OIA staff that they have reviewed their personal situations for any possible personal impairment to their independence with respect to ASU. OIA staff should understand their responsibility to make timely written notification to the CAO in the event that any circumstance arises during the course of the year that might impair or appear to impair their independence with respect to any audit.

(100.9) RESPONSIBILITY

Reference: Audit Activity Charter - Updated/Approved - 3/22/2013

The OIA is responsible for:

• Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.

• Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.

• Monitoring and evaluating the effectiveness of the organization's risk management processes.

• Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization.

• Assessing information security and information technology controls in all appropriate projects.

• Performing consulting and advisory services related to governance, risk management and control as appropriate for the organization.

• Maintaining a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of the Audit Activity Charter.

• Establishing a quality assurance and improvement program by which the CAO assures the operation of internal auditing activities.

• Issuing periodic reports summarizing results of audit activities to management, the Chancellor, and the Audit Committee.

• Keeping the Chancellor and Audit Committee informed of emerging trends and successful practices in internal auditing.

• Assisting and/or conducting the investigation of suspected fraudulent activities within the organization and notifying the Chancellor and the Audit Committee of the results.

• Serving as a liaison between University management and external auditors.

• As appropriate, providing consulting services to management that add value and promote the best interests of the organization.

• Developing a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submitting that plan to the Chancellor and Audit Committee for review and approval as well as periodic updates.

• Implementing the annual audit plan, as approved, including any special tasks or projects requested by management and the Audit Committee.

(100.10) REPORTING AND MONITORING

Reference: Audit Activity Charter - Updated/Approved - 3/22/2013

A written report will be prepared and issued by the CAO or audit designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the Audit Committee and the ASU Board. The OIA is responsible for appropriate follow-up on engagement findings and recommendations.

The internal audit report may include management’s response and corrective action to be taken in regard to the specific findings and recommendations. Management’s response, whether included within the audit report or provided thereafter (e.g., within thirty days) by management of the audited area, should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action recommendations that will not be implemented.

The OIA will be responsible for appropriate follow-up on audit findings and recommendations. All significant findings will remain in an open issues file until they are cleared.

(100.11) PERIODIC ASSESSMENT

Reference: Audit Activity Charter - Updated/Approved - 3/22/2013

The CAO will periodically report to the Chancellor and the Audit Committee on the OIA’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Audit Committee.

In addition, the CAO will communicate to the Chancellor and the Audit Committee on the OIA quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.

The most recent Quality Assurance Review (QAR) independent validation was completed in July 2013 where the OIA received the most favorable rating of “Generally Conforms.” Internal quality assessment will occur annually, and the next external quality assessment is scheduled for July 2018.

(100.12) AUDIT TYPES AND SERVICES

In order to meet the responsibilities and objectives as set forth in the OIA Audit Activity Charter, it is necessary for the OIA to perform reviews and audits of varying types and scopes depending on the circumstances and requests from management.

Each fiscal year an annual audit plan is developed and submitted to the Audit Committee for review and approval. The audit plan is based on a risk assessment methodology, as well as requests from management (see Section 400). Audit services can be requested by members of the University community through memos or email. The following types of audit services are provided by the OIA.

AUDIT LIAISON OFFICER

The CAO serves as Audit Liaison Officer. In accordance with UNC General Administration (UNCGA) requirements [Memorandum 8/14/2013], the CAO will notify the GA Deputy Program Management Officer in the UNC FIT Program whenever any external audits or other regulatory reviews are to be performed. This applies to audits from the Office of State Auditor, external audits of Foundations and other associated entities of the University, program reviews from the State Educational Assistance Authority, federal compliance audits, and reviews by other regulatory entities. The CAO will be informed by the Chancellor, deans, department heads, and officers of all Foundation and associated entities of all external audits and reviews being conducted. Any reports and related work papers resulting from these reviews will be accessible to the CAO for follow-up.

Copies of all University audit findings and recommendations issued to management by external auditors and investigators along with University responses shall be forwarded to the OIA in a timely manner. During the period of resolution, the OIA monitors the progress of the corrective action being implemented. Upon implementation of the recommendation or other alternative action by management, the CAO performs verification procedures to ensure that the stated plan of action has in fact been implemented and issues a status report.

FINANCIAL AUDITS/REVIEWS

A financial audit is a review intended to serve as a basis for expressing an opinion regarding the fairness, consistency, and conformity of financial information with generally accepted accounting principles. Financial audits can be full or limited in scope, depending on the objectives.

Financial audits that are limited in scope are normally performed by the OIA. These audits can include a transaction cycle review of administrative systems such as purchasing, payroll, and payables or a special examination of the financial activities of a decentralized University department.

The North Carolina Office of the State Auditor normally performs the University’s financial audit. The State Auditors perform a full scope financial audit which consists of a review of the financial statements of an entity of sufficient extent to express an opinion on those statements. Such an audit is conducted in accordance with auditing standards generally accepted in the United States of America and the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States. Also, other external accounting firms perform Foundation audits and other associated entity audits.

PERFORMANCE/OPERATIONAL AUDITS AND/OR REVIEWS

Performance/operational audits or reviews have a direct relationship to the University departmental operations and activities. These audits/reviews assess risks and evaluate internal controls of operational systems for departments, units, and functions of the University. Operational audit objectives include determining whether operations are functioning efficiently, effectively, and in accordance with management’s intent. The operational audit evaluates the use of resources available to the department, unit or function to determine if management’s objectives and goals are being met in the most effective and efficient manner. Some areas of operational audits include: organizational structure, asset management and security, staffing, and productivity.

COMPLIANCE AUDITS

A compliance audit measures the compliance of the client with Federal and State laws and regulations, and/or University policies, such as Travel guidelines or Procurement Card (P-Card) purchasing policies.

INFORMATION SYSTEM CONTROLS AUDITS

Information System Controls audits or reviews include reviews of information systems, including general controls, application controls, and disaster recovery. They are conducted to evaluate the quality of the controls and safeguards over the information technology resources of the University. These audits normally consist of reviewing the effective use of information technology resources, adherence to management’s policies, and encouraging the design and implementation of adequate controls over computer applications and the computing environments in which they are used.

AUDITS/REVIEWS OF INTERNAL CONTROLS

Audits and reviews of internal control systems and processes include assessments and testing of 1) UNC FIT required reporting (e.g., Departmental Budget Reconciliations), 2) Campus-wide Fixed Assets, 3) Travel Disbursements, 4) Procurement Card – Data Analysis and Departmental Activity, and 5) Foundation Expenditure review.

AUDIT FINDINGS FOLLOW-UP

This includes reviews and procedures related to addressing and correcting audit findings as a result of external audits as well as those from internal audit activity.

SPECIAL INVESTIGATIONS

These audits include investigations of internal and external hotline reports as well as any similar types of investigations, regardless of the source. They are often requested by management and focus on alleged, irregular conduct. Reasons for investigative audits include: internal theft, misuse of State property, and/or conflicts of interest.

CONSULTATION/ADVISORY SERVICES

The OIA also provides routine consultation and advisory services to University management. This may include, but is not limited to, interpreting policies and procedures, participation on standing committees, limited-life projects, ad-hoc meetings, and routine information exchange. Advisory and consulting engagements include review of existing business processes and strategies, as well as implementations. It also includes evaluation and advice on policies, procedures, process enhancements, and any management requests for reviews of areas considered mutually critical.

YEAR-END WORK – STATE AUDITORS

The OIA provides assistance to the NC State Auditors and other external auditors conducting audits of the University, Foundation, and other associated entities of the University. The OIA conducts and/or compiles the following:

• Petty Cash Counts and Bank Certifications

• Listing of Audit Engagements

• Receipt Book Inventory Testing and Verifications

• Fixed Assets Inventory Verifications

• Foundation Expenditure Reviews

OTHER

Other special projects may be performed by the OIA as delegated by the UNCGA, the ASU Board, the University Chancellor, or other University management.

(SECTION 200)

THE INTERNAL AUDITOR

(200.1) PRESERVING OBJECTIVITY

Reference: PA-1120-1, PA-1130-1, PA-1130.A1.1, PA-1130.A2.1

IIA IPPF Standard 1100 states, “The internal audit activity must be independent, and internal auditors must be objective in performing their work.” Standard 1120 states that the individual auditor achieves objectivity when they “have an impartial, unbiased attitude and avoid any conflict of interest.” The following steps should be taken to help preserve objectivity:

1. Internal auditors should not be placed in situations where they feel unable to make objective professional judgments.

2. The CAO should query the internal audit staff on a yearly basis concerning potential conflicts of interest and bias and make staff assignments accordingly to avoid potential problems.

3. Staff assignments should be rotated periodically.

4. Audit results should be reviewed to provide reasonable assurance that the work was performed objectively before communications resulting from the engagement are released.

5. Internal auditors should not accept fees or gifts from employees, clients, vendors, or business associates. To do so is considered unethical and may create the appearance of impaired objectivity. Internal auditors should report the receipt of all material fees or gifts immediately to the CAO.

6. The internal audit staff should notify the CAO if at any time they determine or perceive their objectivity has been impaired. If the CAO determines a staff member’s objectivity has been impaired, the CAO will notify the appropriate parties and will reassign the auditor.

7. Internal auditors are required to wait at least one year before providing assurance in areas for which they were previously responsible. This includes persons who are transferred to or temporarily engaged by internal audit.

8. Internal auditors should not assume operating responsibilities of the University.

9. Internal auditors should inform the CAO about any relatives or close friends that might impair their independence when starting an audit of a particular area.

(200.2) PROFICIENCY AND DUE PROFESSIONAL CARE

Reference: PA-1210-1, PA-1220-1

IIA IPPF Standard 1200 requires that engagements must be performed with proficiency and due professional care. Proficiency refers to the internal auditor’s possession of the knowledge, skills, and other competencies needed to fulfill their individual responsibilities. Due professional care is described in terms of applying the care and skill expected of a reasonably prudent and competent internal auditor and does not imply infallibility.

1. Professional proficiency is the responsibility of the CAO and each internal auditor. The CAO should ensure that persons assigned to each engagement collectively possess the necessary knowledge, skills, and other competencies to conduct the engagement properly.

2. Internal auditors should possess certain knowledge, skills, and other competencies to include:

a. Proficiency in applying internal auditing standards, procedures, and techniques without extensive recourse to technical research and assistance.

b. Proficiency in accounting principles and techniques when working with financial records and reports.

c. Knowledge to identify the indicators of fraud.

d. Knowledge of key IT risks and controls and available technology-based audit techniques.

e. An understanding of management principles to recognize and evaluate the materiality and significance of deviations from good business practices.

f. An appreciation of the fundamentals of subjects such as accounting, economics, commercial law, taxation, finance, quantitative methods, and information technology.

g. Skill in dealing with people and in communicating effectively. Internal auditors should understand human relations and maintain satisfactory relationships with engagement clients.

h. Skill in oral and written communications in order to clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations.

3. Due professional care calls for the application of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. Professional care should, therefore, be appropriate to the complexities of the engagement being performed. In exercising due professional care, internal auditors should be alert to the possibility of intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest. They should also be alert to those conditions and activities where irregularities are most likely to occur. In addition, they should identify inadequate controls and recommend improvements to promote compliance with acceptable procedures and practices.

4. Due care implies reasonable care and competence, not infallibility or extraordinary performance. Due care requires the auditor to conduct examinations and verifications to a reasonable extent, but does not require detailed reviews of all transactions. Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance needs to be considered whenever an internal auditor undertakes an internal audit assignment.

(200.3) CONTINUING PROFESSIONAL DEVELOPMENT

Reference: PA-1230-1

Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.

1. Internal auditors are responsible for continuing their education in order to maintain their proficiency. They should keep informed about improvements and current developments in internal auditing standards, procedures, and techniques. Continuing education may be obtained through membership and participation in professional societies and attendance at conferences, seminars, college courses, and in-house training programs.

2. Internal auditors not presently holding certifications are encouraged to pursue an educational program that supports their effort to obtain professional certifications, and to demonstrate their proficiency by obtaining appropriate professional certification, such as CIA, CISA, CPA, or CFE.

3. Internal auditors with professional certifications should obtain sufficient continuing professional education to satisfy requirements related to professional certifications held.

4. The internal audit staff is required to record any training they receive such as seminars, conferences, and in-house training programs for each fiscal year.

(200.4) PERSONAL CONDUCT, OBJECTIVITY, AND CONFIDENTIALITY

Reference: The IIA’s Code of Ethics

In the promotion of a sound ethical culture in the internal audit activity, all internal auditors are expected to abide by The IIA’s Code of Ethics, specifically including the four principles of Integrity, Objectivity, Confidentiality, and Competency as set out in the Code. [See Section 100.5.]

In addition, the following guidelines are established for the internal auditor regarding personal conduct and objectivity, and the confidentiality of internal audit or business information acquired through internal audit assignments.

• As a member of the internal auditing staff, you are representing the highest level of management. Conduct yourself in a manner that reflects favorably upon you and those you represent. You are expected to exercise professional skill, integrity, maturity of behavior, and tact in your relations with others.

In general, you are encouraged to be friendly, yet professional, with all university employees without affecting your objectivity. You should guard against any conduct or mannerisms that present an impression that you consider yourself superior to any employee. Acknowledge that the client is an expert concerning their job and area of operations and never imply or communicate that you know the client’s work better than they do. As far as possible, take the position of an independent/objective analyst and advisor. Avoid the image of policing.

• In the course of your assignments, you will be in contact with personnel at all levels of authority and position. At all times, independence in mental attitude is to be maintained. Reports resulting from your efforts should always contain full and unbiased disclosure of all but minor audit findings. Although you report to the internal auditing activity, you have responsibilities to both management and the personnel being audited.

• Much of your work is confidential; therefore, be discreet on and off the job in discussing current or past audits or your assessments of internal audit clients. Judgment should be exercised in the security of internal audit workpapers, programs, company records, and information at all times.

• Never indiscreetly discuss confidential information learned in general job duties such as system changes, reduced working hours, or possible personnel layoffs.

(SECTION 300)

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

(300.1) QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

Reference: PA-1310-1

A Quality Assurance and Improvement Program (QAIP) is an ongoing and periodic assessment of the entire spectrum of audit and consulting work performed by the internal audit activity. These ongoing and periodic assessments are composed of rigorous, comprehensive processes; continuous supervision and testing of internal audit and consulting work; and periodic validations of conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. This also includes ongoing measurements and analyses of performance metrics (e.g., internal audit plan accomplishment, cycle time, level of staff training and certification, recommendations accepted, and customer satisfaction). If the assessments’ results indicate areas for improvement by the internal audit activity, the CAO will implement the improvements through the QAIP.

The CAO is ultimately responsible for the QAIP, which covers all types of OIA activities, including consulting.

(300.2) INTERNAL ASSESSMENTS

Reference: PA-1311-1, Quality Assessment Manual - 6th Edition – pg. 79-80

Internal assessments must include:

1. Ongoing monitoring of the performance of the internal audit activity; and

2. Periodic reviews conducted to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Ongoing monitoring is conducted through:

• Supervision of engagements by the CAO.

• Development of audit policies and procedures to be used for each engagement to ensure compliance with applicable planning, fieldwork and reporting standards.

• Feedback from engagement evaluations submitted by clients.

• Circulation of completed work papers and reports for peer review and comment.

• Discussion of work progress at each internal staff meeting, to include sharing of ideas and concerns.

• Approval of all final reports and recommendations by the CAO.

Periodic assessments will be conducted through:

• Annual risk assessments for purposes of annual audit planning.

• Semi-annual work paper reviews for performance in accordance with internal audit policies and with the Standards (using Tool 17 of IIA QAR Manual).

• Periodic activity and performance reporting to the Chancellor and the Audit Committee.

• Development of metrics and benchmarks to assess performance relative to expectations and standards.

(300.3) EXTERNAL ASSESSMENTS

Reference: Quality Assessment Manual - 6th Edition – pg. 80

External assessments will appraise and express an opinion about OIA’s conformance with the Standards and include recommendations for improvement, as appropriate.

An external assessment is required by IIA Standards to be performed, at a minimum, every five years. The CAO will coordinate with the appropriate university and external agencies to fund, plan, prepare and execute the QAR.

The external assessment will consist of a broad scope of coverage that includes the following elements of OIA’s activity:

• Conformance with the Standards, the Code of Ethics, and the OIA’s audit activity charter, policies, procedures, practices, and any applicable legislative and regulatory requirements.

• Expectations of Internal Audit as expressed by the Board of Trustees, Chancellor and Vice Chancellors, and other senior leaders of the University.

• Integration of the OIA activity into the University’s governance process (including alignment of audit plans with University goals).

• Tools and techniques used by OIA.

• The mix of knowledge, experiences, and disciplines within the staff, including staff focus on process improvement.

• A determination of whether OIA adds value and improves the University’s operations.

The North Carolina Internal Audit Act of 2007 establishes basic standards for external evaluations. Implementing guidance from the Council on Internal Auditing is published in their IA Manual (www.osbm.state.nc.us).

(300.4) REPORTING ON QAIP

Internal Assessments – Results of internal assessments will be reported to the Audit Committee and to the Chancellor at least annually.

External Assessments – Results of external assessments will be provided to the Audit Committee and to the Chancellor. The external assessment report will be accompanied by a written action plan in response to significant comments and recommendations contained in the report.

Follow-up – The CAO will monitor appropriate follow-up actions to ensure that recommendations made in the report and action plans developed are implemented in a reasonable timeframe.

Disclosure of Noncompliance – Should the situation arise, the CAO will communicate to the Audit Committee and to the Chancellor the facts and impacts of noncompliance with external assessment standards.

(300.5) OIA PERFORMANCE METRICS

The CAO will attempt to evaluate ongoing measurements and analyses of performance metrics relative to the following areas:

1. Customer Perspective:

a. Improve awareness of OIA functions and capabilities

b. Improve satisfaction with OIA services

2. Audit Environment Perspective:

a. Improve operational effectiveness and efficiency of reviewed processes and units

b. Develop and execute a risk-based annual audit plan

3. Internal Business Processes Perspective:

a. Meet or exceed performance standards of the IIA

b. Execute annual spending plan within assigned targets

4. Learning and Growth Perspective:

a. Obtain and maintain professional certification for each staff member

b. Provide adequate and appropriate training opportunities for each staff member

(SECTION 400)

ANNUAL AUDIT PLAN

(400.1) DEVELOPMENT PROCESS

The OIA shall develop and maintain an annual audit plan containing the projected workload for the Internal Audits staff. The audit plan will be developed based on a risk assessment conducted each year by the CAO with input from the campus community and others. The CAO will solicit input from the Chancellor, Vice Chancellors, deans, directors, external auditors (e.g., State Auditors) and others through interviews and formal memoranda documenting requested risk questionnaires.

Risk assessments may be based on:

• History of problems: A history of weak controls, problems in recent audits, and other issues may increase risk.

• Regulatory compliance and public scrutiny: High public interest and a large volume of regulatory requirements may increase risk.

• Reliance on information technology: Heavy reliance on information technology may increase risk for newly implemented processes, especially if those processes are locally developed and used by inexperienced staff.

• Dollar volume and liquidity of assets: A large dollar volume flowing through a department or unit and a high liquidity of assets generally increase risk.

• Organization stability and changes: Significant organizational changes and lack of continuity in personnel may mean the control system is less effective than in prior periods.

Other sources to consider are ideas from the audit staff, knowledge of the mission functions, and external audit information.

The UNCGA requires that all North Carolina Universities submit their audit plans in a universally prescribed format which divides the audits into categories of: financial audits, information system controls, audits/reviews of internal controls, performance/operational audits, compliance audits, audit follow-ups, special investigations, and special assignments.

(400.2) APPROVAL PROCESS AND ANNUAL CERTIFICATIONS

Certification: Audit Committee Certification Letter, CAO Certification Letter

The annual audit plan is reviewed and approved by the Audit Committee each year. The approved audit plan is then submitted to UNCGA along with annual certifications signed by the CAO of Internal Audits and the chairperson of the Audit Committee.

Also during this meeting, the prior year’s audit plan and the results accomplished during the prior year are discussed. This discussion encompasses all audit work completed for the prior year. All significant findings and their resolutions are also discussed. The prior year audit plan and results (including significant findings and resolutions) are submitted to the Office of State Budget and Management’s Council of Internal Auditing each year.

Certification Letter for Board of Trustees

Date

[Name of the Board of Governors Chair]
UNC Board of Governors
P.O. Box 2688
Chapel Hill, North Carolina 27515-2688

Dear _____:

In accordance with the Best Financial Practices Guidelines adopted by the Board of Governors in November 2005, I confirm that the Board of Trustees (BOT) Audit Committee of Appalachian State University is in compliance with the following (any exceptions must be identified and explained in an accompanying statement):

1. Met at least four times this year.

2. Reviewed the results of the annual financial audit with representatives of the State Auditor’s Office and discussed corrective actions, if needed.

3. Discussed the results of any other audit performed and report/management letter (i.e., information system audits, investigative audits, etc.) issued by the North Carolina Office of the State Auditor with the State Auditor, the Chief Audit Officer (CAO) of Internal Audits or appropriate campus official.

4. For any audit finding contained within a report or management letter issued by the State Auditor, reviewed the institution’s corrective action plan and the report of the internal auditor on whether or not the institution has made satisfactory progress in resolving the deficiencies noted, in accordance with North Carolina General Statute 116-30.1 as amended.

5. Reviewed all audits and management letters of University Associated Entities as defined in Section 600.2.5.2 [R] of the UNC Policy Manual.

6. Received and reviewed quarterly or four reports from the institution’s CAO of Internal Audit that, at a minimum, reported material (significant) reportable conditions, the institution’s corrective action plan for these conditions and a report once these conditions had been corrected.

7. Received, reviewed, and approved, at the beginning of the audit cycle, the annual audit plan for the Office of Internal Audits department.

8. Received and reviewed, at the end of the audit cycle, a comparison of the annual audit plan with internal audits performed by the internal audit department.

I further attest to the following:

1. The institution’s CAO of Internal Audits reports directly (administratively) to the Chancellor with a clear and recognized functional reporting relationship to the chair of the BOT Audit Committee.

2. The Audit Committee charter defines appropriate roles and responsibilities. One of these responsibilities is the assurance that the institution is performing self-assessments of operating risks and evaluations of internal controls on a regular basis.

3. Internal audit functions are carried out in a way that meets professional standards.

4. The institution’s CAO forwarded copies of both the approved audit plan and the summary of internal audit results, including any reportable conditions and how they were addressed, to UNC General Administration in the prescribed format.

_______________________________
[Name of the BOT Chair]
Chair of BOT Audit Committee

Certification Letter for Audit CAO

Date

[Name of Board of Governors Chair]
UNC Board of Governors
P.O. Box 2688
Chapel Hill, North Carolina 27515-2688

Dear _____:

As Chief Audit Officer (CAO) of Internal Audits at Appalachian State University, I confirm that we are in compliance with the following (any exceptions must be identified and explained in an accompanying statement):

1. Met and updated the BOT Audit Committee at least four times this year.

2. Attended the financial audit exit conference conducted by the State Auditor’s Office.

3. Discussed the results of any other audit performed and report/management letter (i.e., information system audits, investigative audits, etc.) issued by the North Carolina Office of the State Auditor with either the State Auditor’s Office or appropriate campus official.

4. I report directly (administratively) to the Chancellor with a clear and recognized functional reporting relationship to the chair of the BOT Audit Committee.

5. The audit plan was constructed with the consideration of risk and potential internal control deficiencies and included any audits outlined by the UNC General Administration (UNCGA).

6. Ensured that all internal audits were planned, documented and executed in accordance with professional standards.

7. Forwarded copies of both the approved audit plan and the summary of internal audit results to UNCGA in the prescribed format and updated the BOT Audit Committee for completion.

_____________________________
[Name of CAO]
CAO of Internal Audits

(SECTION 500)

AUDIT PROCESS

(500.1) PLANNING

Reference: PA-2200-1

Templates: Audit Engagement Memo, ASU IIA Standards Checklist Template

The internal auditor plans and conducts the engagement, with supervisory review and approval.

During the planning portion of the audit, the auditor notifies the client of the audit by sending an “Audit Engagement Memo” which identifies the audit purpose and time period covered by the audit. It also notifies the client of certain documentation that will be requested and lets them know that an entrance conference will be scheduled to communicate the details of the planned audit.

During the planning portion of the audit, the auditor also discusses the scope and objectives of the audit in a formal meeting with organization management, gathers information on important processes, evaluates existing controls, prepares the audit program, and plans the remaining audit steps.

As part of OIA’s QAIP, the CAO has established an internal audit activity whose scope of work includes the activities in the Standards and in the Definition of Internal Auditing. To ensure that this occurs, the CAO has implemented the “ASU IIA Standards Checklist Template” to determine IIA Standards compliance with every engagement in the areas of Independence and Objectivity, Planning, Fieldwork, Reporting, and Monitoring Progress.

(500.2) ENTRANCE CONFERENCE

Template: Preliminary Survey Questionnaire

An entrance conference should be scheduled early in the planning stages of an audit. The auditor-in-charge is responsible for scheduling this meeting with the audit client’s management and key supervisory personnel. The CAO should also be in attendance. This meeting should set the tone for the audit as well as explain the scope and objectives of the audit. The timing of the engagement work should be discussed and it should also be explained how audit findings and other issues will be handled. The client should have the opportunity to provide a description of their department, available resources (such as personnel, facilities, equipment, systems) and other relevant information as well as any issues or concerns they may have. As a result of the entrance conference, the auditor will complete the “Preliminary Survey Questionnaire.”

This form will be used to document the entrance conference as well as document identified problems or concerns, identified risks and address the probability of significant errors, fraud, and noncompliance. The responses will also be used to determine the critical internal controls that will be evaluated during the audit.

(500.3) RISK ASSESSMENT IN ENGAGEMENT PLANNING

Reference: PA-2210.A1-1

Template: Risk Assessment in Engagement Planning

The auditor must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. The auditor also considers:

• Management’s assessment of risks relevant to the activity under review.

• The reliability of management’s assessment of risk.

• Management’s process for monitoring, reporting, and resolving risk and control issues.

The auditor obtains or updates background information about the activities to be reviewed to determine the impact on the engagement objectives and scope. During the entrance conference, the auditor conducts a survey to become familiar with the activities, risks, and controls to identify areas for engagement emphasis, and to invite comments and suggestions from engagement clients. Using the “Risk Assessment in Engagement Planning” template, the auditor summarizes the results from the reviews of management’s assessment of risk, the background information, and any survey work. The summary includes:

• Significant engagement issues and reasons for pursuing them in more depth.

• Engagement objectives and procedures.

• Methodologies to be used, such as technology-based audit and sampling techniques.

• Potential critical control points, control deficiencies, and/or excess controls.

(500.4) ESTABLISHING OBJECTIVES

Reference: PA-2210-1

Objectives must be established for each engagement. The auditor establishes engagement objectives to address the risks associated with the activity under review. For planned engagements, the objectives proceed and align to those initially identified during the risk assessment process from which the internal audit plan is derived. For unplanned engagements, the objectives are established prior to the start of the engagement and are designed to address the specific issue that prompted the engagement. The risk assessment during the engagement’s planning phase is used to further define the initial objectives and identify other significant areas of concern. (See section 500.3). After identifying the risks, the auditor determines the procedures to be performed and the scope (nature, timing, and extent) of those procedures. Engagement procedures performed in appropriate scope are the means to derive conclusions related to the engagement objectives.

(500.5) ENGAGEMENT SUPERVISION

Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed. The extent of supervision required will depend on the proficiency and experience of the auditors and the complexity of the engagement. The CAO has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained.

Supervision is a process that begins with planning and continues throughout the engagement. The process includes:

• Ensuring designated auditors collectively possess the required knowledge, skills, and other competencies to perform the engagement.

• Providing appropriate instructions during the planning of the engagement and approving the engagement program.

• Ensuring the approved engagement program is completed unless changes are justified and authorized.

• Determining engagement working papers adequately support engagement observations, conclusions, and recommendations.

• Ensuring engagement communications are accurate, objective, clear, concise, constructive, and timely.

• Ensuring engagement objectives are met.

• Providing opportunities for developing internal auditors’ knowledge, skills, and other competencies.

The CAO is responsible for all internal audit engagements, whether performed by or for the internal audit activity, and all significant professional judgments made throughout the engagement.

All engagement working papers are reviewed to ensure they support engagement communications and necessary audit procedures are performed. Evidence of supervisory review consists of the reviewer initialing and dating each working paper after it is reviewed. Other techniques that provide evidence of supervisory review include completing an engagement working paper review checklist or preparing a memorandum specifying the nature, extent, and results of the review.

Engagement supervision also allows for training and development of staff and performance evaluation.

(500.6) AUDIT PROGRAM

Reference: PA-2240-1

Template: Engagement Work Program

The audit program establishes the procedures necessary to complete an efficient and effective audit. It includes a detailed plan of the work to be performed as well as the steps required to achieve the audit objectives. The work program also includes methodologies to be used, such as technology-based audit and sampling techniques. There should be sufficient detail for less experienced staff to perform the steps; however, it should not be so detailed that it causes auditors to execute steps routinely and override their judgment. The audit program also offers a place to document “expected target” and “actual” dates for starting and completing the engagement. Total audit hours will also be documented on the audit program.

A well designed audit program provides an outline of the work to be performed, encouraging a thorough understanding of the department being audited. It acts as a guide for assigning work and thereby controlling the project from beginning to end. It creates documentation and evidence that the work was completed. It assists management’s review to ensure quality. It assures management that all risk areas were adequately addressed.

The program should be prepared before the beginning of the fieldwork and approved by the CAO. Audit programs are not set in stone and therefore are modified during the course of the audit depending on test results or new information obtained, with the CAO’s approval.

A template for the “Engagement Work Program” is provided at M:Audit Administrative Info/ASU.OIA Templates/ASU.OIA Audit File Templates/Engagement Work Program.

(500.7) FIELDWORK

Fieldwork is the process of gathering evidence and analyzing and evaluating that evidence as identified in the planning stage of the audit.

The purpose of fieldwork is to accumulate sufficient, reliable, relevant, and useful evidence to reach a conclusion concerning the performance expectations, and to support the audit comments and recommendations. Audit evidence is sufficient when it is factual and would convince an informed person to reach the same conclusion. Evidence is reliable if it consistently produces the same outcomes. It is relevant when it is directly related to the audit comments, recommendations, and conclusions. Useful information supports the audit comments and recommendations.

(500.8) USE OF PERSONAL INFORMATION IN CONDUCTING ENGAGEMENTS

Reference: PA-2300-1, ASU website (https://password.appstate.edu/pswdchgform/UniversityPolicies.aspx)

Certification: Statement of Confidentiality

Auditors need to consider concerns relating to the protection of personally identifiable information gathered during audit engagements as advances in information technology and communications continue to present privacy risks and threats. Privacy controls are legal requirements in many jurisdictions. Personal information generally refers to data associated with a specific individual or data that has identifying characteristics that may be combined with other information. It includes any factual or subjective information, recorded or not, in any form or media. Personal information includes:

• Name, address, identification numbers, income, blood type.

• Evaluations, social status, disciplinary actions.

• Employee files and credit and loan records.

• Employee health and medical data.

In many jurisdictions, laws require organizations to identify the purposes for which personal information is collected at or before the time of collection. These laws also prohibit using and disclosing personal information for purposes other than those for which it was collected except with the individual’s consent or as required by law. It is important that internal auditors understand and comply with all laws regarding the use of personal information in their jurisdiction. If the internal auditor accesses personal information, it may be necessary to develop procedures to safeguard this information. For example, the internal auditor may decide not to record personal information in engagement records in some situations. The internal auditor may seek advice from legal counsel before beginning audit work if there are questions or concerns about access to personal information.

Appalachian State University maintains strict confidentiality requirements and regulations in compliance with the Gramm-Leach-Bliley Act (GLBA), Family Educational Rights and Privacy Act of 1974 as amended (FERPA), and the Health Insurance Portability and Accountability Act (HIPAA) in addition to other federal and state laws. These laws pertain to the security and privacy of all non-public information that may be considered “confidential” or “sensitive” including student information, employee information, and general University information whether it is in hard copy or electronic form.

All University employees are required to read and agree to the online “Statement of Confidentiality.” The review and agreement to this policy is required when establishing a secure password for the first time and annually thereafter.


(500.9) WORK PAPERS Reference: PA-2330-1 Template: Tickmark Legend

Internal auditors must document relevant information to support the conclusions and engagement results. Work papers document the information obtained, the analyses made, and the support for the conclusions and engagement results. The CAO reviews the prepared work papers. Engagement work papers generally:

• Aid in the planning, performance, and review of engagements.

• Provide the principal support for engagement results.

• Document whether engagement objectives were achieved.

• Support the accuracy and completeness of the work performed.

• Provide a basis for the internal audit activity’s quality assurance and improvement program.

To encourage consistency across the staff, the CAO has established a “Tickmark Legend” defining certain tickmarks that will be used in audit testing.

Work papers should be:

• Legible and neatly prepared.

• Understandable without the need for detailed supplementary oral explanations.

• Restricted to matters that are materially important and relevant to the objectives of the assignment.

Information should be clear and complete, yet concise. Normally, each work paper should be limited to only one subject and only one side of the paper should be used. Unnecessary or irrelevant work papers should not be prepared or kept in the files.

Each set of work papers should contain sections for purpose, source, scope, and conclusion. As applicable, include the elements of criteria, methodology, condition, cause, effect and recommendation in the appropriate section.

1. Purpose: The purpose section of the work papers explains why auditors are doing the audit work and what the auditors are trying to accomplish.

2. Source: The work papers should tell the reader where the auditors obtained the information. Auditors should provide enough detail to permit an independent reviewer to find the source of the information recorded in the work paper without assistance.

3. Scope: The work papers should also define the parameters of the information gathered and how the auditors did the work. It provides things such as the total number of items available for selection and the number selected, the basis for choosing what the auditors examined, or the period covered.


4. Conclusion: Auditors draw conclusions by analyzing and interpreting the results of conversations, observations, tests, analyses, information obtained, and other related facts. These conclusions should be documented in the work papers.

(500.10) AUDIT REPORT Reference: PA-2410-1

The principal product of an audit is the final report in which the auditor expresses an opinion, presents the audit findings, and discusses recommendations for improvement. To facilitate communication and ensure that the recommendations presented in the final report are practical, the auditor should discuss the rough draft with the client prior to issuing the final report.

Audit reports are to contain, at a minimum, the purpose, scope, and results of the engagement:

1. Purpose statements describe the engagement objectives and may inform the reader why the engagement was conducted and what it was expected to achieve.

2. Scope statements identify the audited activities and may include supportive information such as time period reviewed and related activities not reviewed to delineate the boundaries of the engagement. They may describe the nature and extent of engagement work performed.

3. Results can include findings or recommendations and action plans.

a. Audit Findings should include the nature of the findings, the criteria used to determine the existence of the condition, the root cause of the condition, the significance of its impact, and what the internal auditors (with management’s input) recommend should be done to improve the situation. Fully developed findings are easily understood, convey impact and significance to appropriate management, and enhance the likelihood and sustainability of improvement action. The internal auditor may communicate less significant observations or recommendations informally as “oral findings” or “best practice recommendations.”

b. Recommendations and action plans are based on the internal auditor’s findings. They call for action to correct existing conditions or improve operations and may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results. Recommendations can be general or specific. For example, under some circumstances, the internal auditor may recommend a general course of action and specific suggestions for implementation. In other circumstances, the internal auditor may suggest further investigation or study.


Audit reports may also include background information and summaries. Background information may identify the organizational units and activities reviewed and provide explanatory information.

The internal auditor may communicate engagement client accomplishments or “notable strengths,” in terms of improvements since the last engagement or the establishment of a well-controlled operation. This information may be necessary to fairly present the existing conditions and to provide perspective and balance to the engagement final communications.

The internal auditor may communicate the engagement client’s views about the internal auditor’s conclusions, opinions, or recommendations as a “response” to the auditor’s finding.

Certain information is not appropriate for disclosure to all report recipients because it is privileged, proprietary, or related to improper or illegal acts. Disclose such information in a separate report. Distribute the report to the Board if the conditions being reported involve senior management.

The CAO should review and approve the final audit report. The CAO and the auditor-in-charge of the engagement should sign all final reports.

The final audit report is addressed to the Vice Chancellor who is responsible for the department being audited. A copy is sent to the management of the department in addition to the Chancellor. The Board of Trustees Audit Committee receives a copy at the quarterly Audit Committee meeting. Copies of all audit reports are also sent to the Council of Internal Auditing (part of the North Carolina Office of State Budget and Management), UNCGA, and the State Auditor’s Office.

(500.11) EXIT CONFERENCE Reference: PA-2440-1

The internal auditor-in-charge is responsible for scheduling the exit conference before the CAO issues the final engagement communications. The goal is to have knowledgeable and accountable audit, client, supervisory, and management personnel attend the meeting who can make decisions and implement agreed improvements. The CAO and the auditor-in-charge as well as any staff auditors the CAO deems necessary should also attend the exit conference. The purpose of the exit conference is to inform management of the audit results and the report process, reach final agreement on findings, and finalize planned improvement actions. Management can also provide an update on any actions already taken.

Management of the audited activity should have an opportunity to review a draft of the engagement issues, observations, and recommendations. These discussions and reviews help avoid misunderstandings or misinterpretations of fact by providing the opportunity for the engagement client to clarify specific items and express views about the observations, conclusions, and recommendations.


(500.12) AUDIT REPORT FOLLOW-UP Reference: PA-2500-1, PA-2500.A1-1

The CAO maintains a spreadsheet to monitor the disposition of findings communicated to management (located in M:Audit Administrative Info/ASU Finding Follow-up). If certain reported findings are significant enough to require immediate action by management or the Board, the internal audit activity monitors actions taken until the observation is corrected or the recommendation implemented. The internal audit activity may effectively monitor progress by:

• Addressing engagement findings to appropriate levels of management responsible for taking action.

• Receiving and evaluating management responses and proposed action plan to engagement findings during the engagement or within 15 days after the engagement results are communicated.

• Receiving periodic updates from management to evaluate the status of its efforts to correct observations and/or implement recommendations.

• Reporting to senior management and/or the Board on the status of responses to engagement findings.

The CAO schedules follow-up activities as part of developing engagement work schedules. A follow-up audit should be scheduled for any audit that had significant findings within six months to one year after the issuance of the final audit report. Follow-up is a process by which internal auditors evaluate the adequacy, effectiveness, and timeliness of actions taken by management on reported findings, including those made by external auditors and others. This process also includes determining whether senior management and/or the Board have assumed the risk of not taking corrective action on reported observations. Follow-up audits involve inquiry of management and usually some limited test work. Follow-up audit reports outline the findings that have been completely resolved, those that are partially resolved, and the outstanding or new items that have not been addressed. Follow-up activities should be appropriately documented. Follow-up audits for State Audit reports are required to be completed within 90 days of the issuance of the final report.

(500.13) GRANTING ACCESS TO ENGAGEMENT RECORDS

All reporting from the OIA should include the following footer:

“This document and related work papers may be subject to the North Carolina Public Records Act (NC Gen Stat 132-1 et seq. and NC Gen Stat 116-40.7). The office of record for this document is the Office of Internal Audits. Please refer requests for release to this office. Release of copies to parties external to the University should be coordinated with the Office of Internal Audits.”


(500.14) RETENTION OF RECORDS

ASU OIA retains records in accordance with ASU Policy Manual 105.1 – “Records Retention Schedule” as managed by ASU Records Management.


(SECTION 600) PERSONNEL

(600.1) RESOURCE MANAGEMENT

The CAO should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved audit plan.

1. Staffing plans and financial budgets, including the number of auditors and the knowledge, skills, and other competencies required to perform their work, should be determined from the annual audit plan, administrative activities, education and training requirements, and audit research and development methods.

2. The CAO should establish a program for selecting and developing the human resources of the internal audit activity. The program should provide for:

• Developing written job descriptions for each level of the audit staff.

• Selecting qualified and competent individuals.

• Training and providing continuing educational opportunities for each internal auditor.

• Appraising each internal auditor’s performance at least annually.

• Providing counsel to internal auditors on their performance and professional development.

(600.2) MINIMUM TRAINING AND EXPERIENCE

North Carolina General Statute 143-739, which was adopted during the 2007 legislative session, established the qualifications for any internal auditor employed by a State agency.

This law was modified in 2013 [General Assembly of NC, Session 2013, Session Law 2013-406, House Bill 417] and now states that regarding the appointment and qualifications of Internal Auditors: “Any State employee who performs the internal audit function shall meet the minimum qualifications for internal auditors established by the Office of State Personnel, in consultation with the Council of Internal Auditing.”

For an Internal Auditor, the OSHR site states minimum training and experience as follows: “Bachelor’s degree in accounting or discipline related to the program area, with nine credit hours of accounting coursework; or equivalent combination of training and experience. All degrees must be received from appropriately accredited institutions.”

For the OIA Director and OIA Manager, the OSHR site states minimum training and experience as follows: “Bachelor’s degree in accounting, business, finance or other discipline related to the area of assignment with 12 credit hours of accounting coursework and three years of professional accounting experience, of which at least two are supervisory (one year supervisory for Audit Manager); or equivalent combination of training and experience. Some positions may require additional credit hours of accounting coursework. All degrees must be received from appropriately accredited institutions.”

(600.3) CHIEF AUDIT OFFICER

The CAO is responsible for the administration of the internal audit activity. The CAO is responsible for properly managing the internal audit activity so that:

a. Internal audit work fulfills the specific and general purposes and responsibilities approved by management and the Board.

b. Internal audit resources are efficiently and effectively employed.

c. Internal audit operations conform to IIA IPPF Standards and Definition of Internal Auditing.

The CAO establishes plans to carry out the responsibilities of the internal audit activity. The work includes directing a comprehensive audit program that provides assurance and consulting services designed to add value and improve the organization’s risk management, control, and governance processes.

The CAO is responsible for:

• Directing the identification and evaluation of the organization’s audit risk areas and overseeing the development of the annual audit plan.

• Assessing the adequacy of staff resources and expertise in relation to the annual audit plan and recommending enhancements where necessary.

• Overseeing the department’s QAIP.

• Directing internal audit staff in the planning, organizing, directing, and monitoring of internal audit operations, including assisting in hiring, training, and professional development, evaluating staff, and taking corrective actions to address performance problems.

• Directing the overall performance of audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting client processes and procedures.

• Directing the audit staff in conducting interviews, reviewing documents, developing and administering surveys, composing summary memos, and preparing working papers.

• Directing the audit staff in the identification, development, and documentation of audit issues and recommendations.

• Communicating the results of audit and consulting projects via written reports and oral presentations to management and the Board of Trustees Audit Committee.


• Developing and maintaining productive client, staff, management, and board relationships through individual contacts and group meetings.

• Pursuing professional development opportunities, including internal and external training and professional association memberships, and sharing information gained with co-workers.

• Representing internal auditing at management and board meetings and with external organizations.

• Performing related work as assigned by the Board of Trustees Audit Committee.

• Benchmarking audit work processes and promoting continuous process improvement.

(600.4) ASSISTANT DIRECTOR

The Assistant Director position aids in managing the auditing operation by either assisting with or having full responsibility for: the establishment of long-term and short-term goals and objectives; the formulation of audit programs and policies; and the overall direction of audit staffing training and development. The position assists with or has full responsibility for audit program design and/or changes to ensure compliance with federal and state laws, audit standards, and legal opinions. The position must tactfully deal with controversial issues/problems and maintain successful working relationships with clients, other employees, administrators, and the public. The position is responsible for self-development by demonstrating a commitment to continuous learning, self-awareness and performance through feedback. The position also has responsibility for conducting advanced professional auditing assignments and working on compliance, departmental, investigative, and other audits as required.

(600.5) AUDITOR

The Auditor position has responsibility for conducting advanced professional auditing assignments. Types of audits performed include financial, compliance, performance, investigative and follow-up audits. The scope of the position’s contact and responsibility extends to all University related functions. This position is required to work with a minimum of supervision, requires substantial knowledge and skills in the auditing field, and must be able to complete an audit from beginning to end. Audit assignments will include annual financial and/or compliance audits of University functions such as New River Light and Power, the Department of Athletics, the University Bookstore, Food Services, Financial Aid, and other University accounts. This position will also provide assistance as needed to the State Auditor’s office in their annual financial audit of the University. This position will also work on investigations of suspected irregular financial activities of University employees as well as performance and operational audits of University functions.


(600.6) IT AUDITOR

The primary purpose of the IT Auditor position is to assist the OIA in providing the University with reasonable assurance that the proper controls are in place to protect the confidentiality, integrity and security of the University’s information systems. This position is responsible for conducting audits of information systems configurations and environments of the University mainframe computers and the user financial areas. Included are audits of the IT general controls, including access controls, program maintenance, disaster recovery plans, security issues, and systems software in the Computer Center and user financial areas. This position works closely with ASU’s Information Technology Services and the Office of the State Auditor during any and all information systems audits. This position is also responsible for reviewing controls on other campus stand-alone systems, extracting data for financial and performance audits performed by other audit staff, and working on compliance, departmental, investigative, and other audits as required.

(600.7) AUDIT ASSISTANT

The Audit Assistant position has administrative duties as well as audit-related duties. This position is responsible for maintaining the office budget, ordering supplies, maintaining files, preparing and binding audit reports, and assisting with maintaining and publishing office policies and procedures. This position is also responsible for completing annual cash counts on all University petty cash and imprest cash funds, conducting an annual review of the procedures and receipt books for all cash collection points, and reviewing and analyzing all computer access actions for terminated employees. This position will also have audit-related duties with regard to University P-Cards, Foundation expenditures, travel expenditures, inventory counts, and other duties deemed necessary by the CAO.


(SECTION 700) IDENTIFICATION OF FRAUD

(700.1) IDENTIFICATION OF FRAUD

The OIA supports management’s efforts to establish a culture that embraces ethics, honesty, and integrity. The OIA assists management with the evaluation of internal controls used to detect or mitigate fraud, evaluates the organization’s assessment of fraud risk, and is involved in any fraud investigations.

A. Prevention: Establishing a culture of integrity is a critical component of fraud control. Senior management must set the tone at the top and model the highest level of integrity. The internal auditors may advise management on methods to ensure integrity. As part of their assurance activities, internal auditors watch for potential fraud risk, may assess the adequacy of related controls, and make recommendations for improvement.

B. Detection: Because the internal auditors are exposed to key processes throughout the University and have open lines of communication with the senior administration and the Audit Committee, they are able to play an important role in fraud detection. The OIA is responsible for responding to issues raised on hotlines, employee tips or through other processes that may lead to the detection of fraud; however, audit procedures alone, even when carried out with due professional care, do not guarantee the detection of fraud.

C. Investigation: The investigation of fraud consists of performing procedures necessary to determine whether fraud, as suggested by the indicators, has occurred. It includes gathering sufficient information about the specific details of a discovered or suspected fraud. Internal auditors, lawyers, investigators, security personnel, and other specialists from inside or outside the organization are the parties that usually conduct or participate in fraud investigations. If a fraud is detected and investigated and it appears there is sufficient evidence, the CAO will notify the University Police and the State Bureau of Investigation (SBI). At this point the OIA may continue with the investigation, issue a report of its findings and conclusions, or turn the investigation over to the SBI. Internal auditors are not expected to have knowledge equivalent to that of a person whose primary responsibility is detecting and investigating fraud.

Access to employee computer files and email accounts will require authorization from the University Attorney to the Chief Information Officer of Information Technology Services.


(700.2) INTERNAL AUDIT ACTIVITIES AND FRAUD Reference: IPPF Practice Guide – Internal Auditing and Fraud – December 2009

There are various approaches that the CAO may use in considering fraud while conducting internal audit activities:

• Auditing management controls over fraud. This includes policies, awareness practices, tone at the top, board and senior management governance (the control environment), as well as related practices, such as risk assessment, assessing the adequacy of preventive and detective controls in managing fraud risk within organizational tolerances, incident management, investigations, and recovery practices. Internal auditing should allocate resources to fraud-related activities in line with the risk of fraud relative to other organizational risks.

• Auditing to detect likely fraud by testing high-risk processes, with the intention of looking for indicators of fraud, within the organization and with external business relationships. For example, testing payroll for phantom employees, or testing vendor invoices for overcharges, matching vendor addresses with employee addresses to detect fictitious vendors, or reviewing databases for duplicate transactions.

• Considering fraud as part of every audit. For example, brainstorming about fraud risk, evaluating fraud controls, designing procedures that consider the fraud risk, or evaluating errors to determine whether they could be an indication of fraud. The cumulative results may provide perspective on whether management’s awareness and risk management programs have been implemented effectively across the organization.

• Performing consulting assignments that help management identify and assess risk and determine the adequacy of the control environment for process reviews, new business ventures, or IT applications. Facilitation of management’s self-assessment is another example of evaluating fraud risk, ensuring controls are in place to mitigate those risks, and determining who is monitoring results.


(SECTION 800) AUDIT COMMITTEE CHARTER

BACKGROUND

Appalachian State University has chosen to use the North Carolina Office of the State Auditor (the “State Auditor”) to conduct its annual financial audits. The State Auditor determines staff assignments for individual audits, including rotation of Audit managers for each audit client. In addition, constituent institutions have internal audit departments to address the institution’s operating risks and internal controls, review the effectiveness and efficiencies of programs, conduct investigative audits when necessary, and perform other audit-related activities. The UNC Board of Governors has required that the Board of Trustees of each UNC constituent institution have an active committee generally responsible for audit activities and reporting to the Board of Trustees and UNC Board of Governors.

PURPOSE

The primary purpose of the Audit Committee of the Appalachian State University Board of Trustees (the “ASU Board”) is to assist the ASU Board in fulfilling its oversight responsibilities for (i) the integrity of the financial statements of the University, (ii) the performance of the University’s internal audit function, and (iii) the assurance that the University is performing self-assessment of operating risks and evaluation of internal controls on a regular basis.

AUTHORITY

The Audit Committee of the ASU Board has authority to conduct or authorize investigations into any matters within its scope of responsibility, including resolving any disagreements between University administration and the auditor regarding financial reporting and any audit findings and recommendations.

ORGANIZATION

The Audit Committee shall be a standing committee of the ASU Board consisting of at least three (3) and no more than five (5) members of the ASU Board. Each Audit Committee member must be (i) independent of the University’s administrative and executive officers and (ii) free of any relationship that would impair such independence.

If possible, at least one member of the Audit Committee must be a financial expert; the other members should be able to understand financial information and statements. For this purpose, a “financial expert” is someone who has an understanding of generally accepted accounting principles and financial statements; experience in applying such principles; experience in preparing, auditing, analyzing, or evaluating financial information; experience with internal controls and procedures for financial reporting; or an understanding of the audit committee function. It is desirable for the role of financial expert to be rotated no less frequently than biannually. The members of the Committee shall be selected in the same manner as other committees of the ASU Board.

MEETINGS

The Audit Committee shall meet at least four (4) times a year and may hold additional meetings as circumstances require. The Audit Committee will invite representatives of University administration, auditors, legal counsel, and others to attend meetings and provide pertinent information as necessary. It will also hold private meetings with the University’s Chief Audit Officer of Internal Audits (the “CAO”) at least annually. Meeting agendas shall be prepared and provided in advance to members, along with appropriate briefing materials. Minutes of the meetings shall be prepared.

DUTIES AND RESPONSIBILITIES

The principal duties and responsibilities of the Audit Committee shall be as follows:

• Meet at least four times during the year.

• Review the results of the University’s annual financial audit with the State Auditor or a designated representative thereof.

• Discuss the results of any other audit performed and report/management letter (i.e., information systems audits, investigative audits, etc.) issued by the State Auditor with the State Auditor or his staff, the CAO, or the appropriate campus official(s).

• For any audit finding contained within a report or management letter issued by the State Auditor, review the institution’s corrective action plan and receive a report once corrective action has taken place.

• Discuss the results of any audit performed by independent auditors and, if there were audit findings, review the institution’s corrective action plan and receive a report once corrective action has taken place.

• Review all audit reports and management letters issued with respect to entities associated or affiliated with the University.

• Institute and oversee special investigations as needed.

• Have a functional reporting relationship with the CAO to enable the CAO to meet privately to discuss professional issues freely with the Audit Committee and its chairperson, even though the CAO also will report administratively to the Chancellor.

• Receive quarterly reports from the CAO that, at a minimum, report material (significant) reportable conditions and the corrective action plan for these conditions.

• Receive, review, and approve a summary of the annual internal audit plan for the University at the beginning of the annual audit cycle. The annual audit plan should be based upon the results of an institutional risk assessment, testing of internal controls, and audits.

• Receive and review an annual summary of audits performed by the CAO’s office and a comparison of the plan set forth at the beginning of the cycle to the audits actually performed.

• Review internal audit reports when issued by the CAO.

• Ensure that internal audit functions are conducted in accordance with professional standards, including assurance that the University is performing self-assessment of operating risks and evaluation of internal controls on a regular basis.

• Review and consult with the Chancellor in the appointment, replacement, or dismissal of the CAO and the compensation package.

• Resolve, or assist the ASU Board in resolving, disagreements between the CAO and University administration concerning audit findings and recommendations.

• Engage, in accordance with state laws, rules and regulations, independent counsel or other advisors if and as necessary to carry out its duties. The University shall provide funding as determined by the Audit Committee, subject to the oversight of the ASU Board, for payment to any such advisors that may be engaged by the Audit Committee.

• Prepare and forward to the UNC Board of Governors an annual summary of the work performed by the Audit Committee, including a report of the work of the University Internal Auditor that indicates any identified material reportable conditions and how they were addressed.

• Confirm annually that all responsibilities outlined in this charter have been carried out as part of the annual internal assessment.

• Perform such other duties and tasks as may be assigned or requested from time to time by the ASU Board.

AMENDMENTS

The Audit Committee, with the assistance of the CAO and University legal counsel, should annually review and assess the adequacy of the Audit Committee Charter, and prepare any suggested revisions or additions for the ASU Board's consideration. Revisions or additions to this Charter shall be made and effective as approved by the ASU Board.

AUDIT MANUAL GLOSSARY

REFERENCE TO ABBREVIATIONS

ASU Board: ASU Board of Trustees

Audit Committee: ASU Board of Trustees Audit Committee

CAO: Chief Audit Officer

IIA: Institute of Internal Auditors

IPPF: International Professional Practices Framework (of the IIA)

IT: Information Technology

NC GS: North Carolina General Statute

OIA: Office of Internal Audits (of ASU)

OSHR: Office of State Human Resources

PA: Practice Advisory (of the IPPF)

P-Card: Procurement card, or purchasing card

QAIP: Quality Assurance and Improvement Program

QAR: Quality Assurance Review

SBI: North Carolina State Bureau of Investigation

Standards: International Standards for the Professional Practice of Internal Auditing (of the IIA)

the University: Appalachian State University

UNC: University of North Carolina (as a system of public institutions)

UNCGA: University of North Carolina General Administration